7 Replies Latest reply on Apr 27, 2016 12:01 PM by Toby Erkson

    Trusted authentication process not working (?)

    Toby Erkson

      I have a Tableau Server named TEST.  It is set up exactly like our QA and PROD Tableau Servers.  The only difference is the hardware, being four cores as this is my test machine and users aren't allowed to log on to it.  It's my test and beta machine and I remote desktop into it just like the others when I work on it.

       

      Right now I've installed VizAlerts but am getting a trusted ticket error.  I read this page, "Testing Trusted Authentication | Tableau Software".  I have no web servers to add because I don't have to tabadmin set wgserver.trusted_hosts to add to any of my servers.  So I ran the test script and it is returning -1.  When I run the same test script on my other two Servers I get a trusted ticket unique ID.

       

      Referencing this page in the Admin Guide, "Ticket Value of -1 Returned from Tableau Server":

      I have no web server host names/IP addresses to add.

      I'm not using IPv4 addresses

      The username I'm using is my own and it's in the TEST Server and is valid.  The role is System Administrator.

      With or without the domain attached the test still fails.

       

      What's going on?  What else should I check/test?

       

       

      < edit > Here's the code used from the above link for checking if trusted authentication is working:

      <html>
      <head>
          <title>Trusted Ticket Requester</title>
          <script type="text/javascript">
              function submitForm(){document.getElementById('form1').action = document.getElementById('server').value + "/trusted";}
          </script>
          <style type="text/css">
              .style1 {width: 100%;}
              .style2 {width: 429px;}
              #server { width: 254px; }
          </style>
      </head>
      <body>
          <H3>Trusted Ticketer</H3>
          <form method="POST" id="form1" onSubmit="submitForm()">
              <table class="style1">
                  <tr>
                      <td class="style2">Username:</td>
                      <td><input type="text" name="username" value="" /></td>
                  </tr>
                  <tr>
                      <td class="style2">Server:</td>
                      <td><input type="text" id="server" name="server" value="http://" /></td>
                  </tr>
                  <tr>
                      <td class="style2">Client IP (optional):</td>
                      <td><input type="text" id="client_ip" name="client_ip" value="" /></td>
                  </tr>
                  <tr>
                      <td class="style2">Site: (leave blank for Default site, else NameOfSite if using sites)</td>
                      <td><input type="text" id="target_site" name="target_site" value="" /></td>
                  </tr>
                  <tr>
                      <td class="style2"><input type="submit" name="submittable" value="Go" /></td>
                      <td></td>
                  </tr>
              </table>
          </form>
          <H4>Be sure to add your IP as a Trusted IP address to the server</H4>
      </body>
      </html>
      
        • 1. Re: Trusted authentication process not working (?)
          Matt Coles

          Heya Toby! What do you mean by "I have no web servers to add because I don't have to tabadmin set wgserver.trusted_hosts to add to any of my servers." ? Even if you're running it from your local Tableau Server host, you'll still need to tell Tableau Server to trust its own IP address, if you're requesting the ticket from that host.

           

          If that's not it, check out the logs. From the article:

           

          The exact reason for this message is written to the file production*.log in the following folder:

          ProgramData\Tableau\Tableau Server\data\tabsvc\logs\wgserver

          and to the vizql*.log in the following folder:

          ProgramData\Tableau\Tableau Server\data\tabsvc\logs\vizqlserver

          • 2. Re: Trusted authentication process not working (?)
            Toby Erkson

            Matt Coles wrote:

             

            Heya Toby! What do you mean by "I have no web servers to add because I don't have to tabadmin set wgserver.trusted_hosts to add to any of my servers." ? Even if you're running it from your local Tableau Server host, you'll still need to tell Tableau Server to trust its own IP address, if you're requesting the ticket from that host...

            I haven't had to do this before

            Matt Coles wrote:

            ...

            If that's not it, check out the logs. From the article:

             

            The exact reason for this message is written to the file production*.log in the following folder:

            ProgramData\Tableau\Tableau Server\data\tabsvc\logs\wgserver

            and to the vizql*.log in the following folder:

            ProgramData\Tableau\Tableau Server\data\tabsvc\logs\vizqlserver

            I did and found nothing

            I'm confused with the production*.logs because they just show settings.  ???

            vizql-0.log*:

            2016-04-26 06:45:25.160 -0700 (Default,,-,Vx9w9aoCRBUAAA8gNGkAAAFx) catalina-exec-19 : ERROR wgsessionId=com.tableausoftware.model.workgroup.service.TrustedTicketServiceImpl - Invalid request host: 10.3.24.1.
            

            But the IP address is correct for my TEST Server.  For grins I executed tabadmin set wgserver.systeminfo.allow_referrer_ips 10.3.24.1, config'd and restarted and still got the same error in the log when I enabled VizAlerts in the Windows Task Scheduler.

            I didn't find anything of interest in the vizalerts.log, either.

             

             

             

            *IP address changed to protect the innocent.

            • 3. Re: Trusted authentication process not working (?)
              Matt Coles

              So, you should be able to resolve the issue by:

               

              tabadmin set wgserver.trusted_hosts 10.3.24.1

              tabadmin configure

              tabadmin restart

               

              I've always had to add the IP of whatever host I'm using for trusted ticket requesting / redemption to the trusted list, even when running it locally. I'd be interested to know why it does work when you haven't done so!

              2 of 2 people found this helpful
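
An added example (not part of the original posts and not Tableau or VizAlerts code): a Python triage of the `Invalid request host` entries quoted from vizql-0.log, separating rejected hosts that are known ticket requesters, and so belong in `wgserver.trusted_hosts`, from ones to look into first. The sample log is constructed around the quoted line; `10.3.24.77`, the `expected_requesters` input and the comma-separated form of the setting's value are assumptions.

```python
import re
from collections import Counter

# Constructed sample: the first line is the vizql-0.log entry quoted in the
# thread; the others are made-up lines in the same layout.
SAMPLE_LOG = """\
2016-04-26 06:45:25.160 -0700 (Default,,-,Vx9w9aoCRBUAAA8gNGkAAAFx) catalina-exec-19 : ERROR wgsessionId=com.tableausoftware.model.workgroup.service.TrustedTicketServiceImpl - Invalid request host: 10.3.24.1.
2016-04-26 06:45:31.002 -0700 (Default,,-,constructed-0001) catalina-exec-4 : INFO constructed unrelated line
2016-04-26 06:50:25.417 -0700 (Default,,-,constructed-0002) catalina-exec-7 : ERROR wgsessionId=com.tableausoftware.model.workgroup.service.TrustedTicketServiceImpl - Invalid request host: 10.3.24.1.
2016-04-26 07:02:10.900 -0700 (Default,,-,constructed-0003) catalina-exec-2 : ERROR wgsessionId=com.tableausoftware.model.workgroup.service.TrustedTicketServiceImpl - Invalid request host: 10.3.24.77.
"""

# The logged sentence ends with a period, so strip one trailing dot from the host.
REJECT = re.compile(r"TrustedTicketServiceImpl - Invalid request host: (\S+?)\.?$")


def rejected_hosts(log_text):
    """Count trusted-ticket rejections per requesting host."""
    counts = Counter()
    for line in log_text.splitlines():
        match = REJECT.search(line.rstrip())
        if match:
            counts[match.group(1)] += 1
    return counts


def triage(log_text, trusted_hosts, expected_requesters):
    """Split rejected hosts into (to_add, investigate) lists of (host, count).

    trusted_hosts: current wgserver.trusted_hosts value, comma-separated.
    expected_requesters: hosts the admin knows should request tickets
    (hypothetical input; here, the server running VizAlerts).
    """
    trusted = {h.strip() for h in trusted_hosts.split(",") if h.strip()}
    to_add, investigate = [], []
    for host, count in sorted(rejected_hosts(log_text).items()):
        if host in trusted:
            continue  # already listed; the entry predates the config change
        # A listed host can request a ticket for any username, so only
        # known requesters go on the list; anything else is looked into.
        bucket = to_add if host in expected_requesters else investigate
        bucket.append((host, count))
    return to_add, investigate


if __name__ == "__main__":
    add, check = triage(SAMPLE_LOG, "", {"10.3.24.1"})
    print("add to wgserver.trusted_hosts:", add)
    print("investigate before trusting:", check)
```
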
              • 4. Re: Trusted authentication process not working (?)
                Toby Erkson

                Thanks Matt, that did the trick! (psst! VizAlerts 1.1.0 is now running on it but w/o pypdf2).

                 

                Odd that this Tableau Server needs it to be specified while my other two do not.  My TEST Server OS is Windows Server 2012 R2 while my other two Servers are Windows Server 2008 R2.

                 

                < edit > I did a search on my PROD Server for "wgserver.trusted_hosts" and it appeared in my backgrounder*.txt files at location D:\Application\Tableau\Tableau_Server\data\tabsvc\vizqlserver\Logs\ (Replace our D:\Application\Tableau\Tableau_Server with Tableau's default ProgramData\Tableau\Tableau Server).  I used Agent Ransack to search the whole Tableau_Server folder AND sub-folders and that's the only location where they appeared.

                Running Agent Ransack on my TEST Server now shows multiple locations of "wgserver.trusted_hosts" and now contains the server's IP (yesterday's results are there, too, but don't show an IP address):

                • 5. Re: Trusted authentication process not working (?)
                  Matt Coles

                  I'll ask the powers that be what the definitive answer is (assuming there is none, then I'll try and figure out what variables might cause the behavior you encountered).

                   

                  re: VizAlerts 1.1.0...nice! I'll see if I can create a zip of all the modules needed. Agreed that it would be easier.

                  • 6. Re: Trusted authentication process not working (?)
                    Matt Coles

                    Toby, is the server value in your vizalerts.yaml config file set to a name that resolves to a proxy or load balancer? e.g., if the value you have set is something like "tableautest.daimler.com" or somesuch, then does that request go straight to your Primary host, or does it go through any other systems first?

                     

                    Basically, after trying to absorb comprehensive info from the illustrious Dan Scott, the answer to whether or not your Tableau Server will trust requests for trusted tickets sent directly to it from its own primary host depends on what Tableau Server thinks the originating IP address is, which in turn is determined by:

                     

                    • What systems lie in between the machine requesting the ticket, and the Server itself (it may go through these even if you issue the request from the Primary)
                    • What systems you've told Tableau Server to "trust" (not in the trusted ticket sense, but in the "yes this is a valid proxy" sense) via the config settings:
                      • gateway.public.host

                      • gateway.public.port

                      • gateway.trusted

                      • gateway.trusted_hosts

                     

                    So there can be several reasons why the IP address that Server tries to compare to the whitelist in wgserver.trusted_hosts may not be the one you expect.
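
An added illustration, not part of the original reply and not Tableau Server's code: a generic Python model of how a server behind proxies picks the address it then compares with the ticket whitelist, showing why a request issued on the primary can still be rejected. The use of an X-Forwarded-For header, the function names and the load-balancer address `10.3.24.50` are assumptions.

```python
import ipaddress


def effective_client_ip(peer_ip, forwarded_for, trusted_proxies):
    """Address a server behind proxies treats as the origin of a request.

    peer_ip: address of the machine that opened the connection.
    forwarded_for: X-Forwarded-For header value, "" if absent (assumed header).
    trusted_proxies: addresses the server accepts as valid proxies.
    """
    proxies = {ipaddress.ip_address(p) for p in trusted_proxies}
    current = ipaddress.ip_address(peer_ip)
    if current not in proxies:
        # The header is ignored here: an unlisted peer could put any
        # address in it, including one from the ticket whitelist.
        return str(current)
    hops = [h.strip() for h in forwarded_for.split(",") if h.strip()]
    for hop in reversed(hops):  # nearest hop first
        current = ipaddress.ip_address(hop)
        if current not in proxies:
            break  # first address that is not a declared proxy
    return str(current)


def ticket_check(peer_ip, forwarded_for, trusted_proxies, ticket_hosts):
    """Return (allowed, ip_compared) for a trusted-ticket request."""
    ip = effective_client_ip(peer_ip, forwarded_for, trusted_proxies)
    return ip in ticket_hosts, ip


PRIMARY = "10.3.24.1"         # address from the thread
LOAD_BALANCER = "10.3.24.50"  # constructed address

if __name__ == "__main__":
    cases = {
        "direct from primary": (PRIMARY, "", []),
        "via undeclared load balancer": (LOAD_BALANCER, PRIMARY, []),
        "via declared load balancer": (LOAD_BALANCER, PRIMARY, [LOAD_BALANCER]),
    }
    for name, (peer, xff, proxies) in cases.items():
        print(name, ticket_check(peer, xff, proxies, {PRIMARY}))
```

In the middle case the address compared with the whitelist is the load balancer's, not the primary's, which is the kind of mismatch the reply describes.
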

                     

                     

                     

                    • 7. Re: Trusted authentication process not working (?)
                      Toby Erkson

                      The server value is the Tableau Server itself, so it is pointing to the server itself.  This is the same way my other two are set up.

                       

                      I've updated my Tableau Server batch script -- a setup script that is essentially the same to all Tableau Server environments here (extract execution time limit, VizQL idle time, etc) -- to trust itself (?).

                       

                      Hmm...both "old" Servers started life with version 7.  Maybe the trust occurred back then and propagated through the years?  This TEST Server is brand-new so it doesn't have the legacy of prior versions.